Can FOSS save your privacy?

The Bush administration has already claimed “we don’t need no steenkin warrant” to listen to your phone calls, see what websites you visit, scan your emails, and now, with the revelation of a new “signing statement”, it’s even claiming the authority to read your physical mail.

Yes, our privacy is under assault.

However, just because your privacy is being threatened doesn’t mean you have to accept it. There is a growing array of FOSS being developed to provide us with the ability to control our privacy. It’s about time we all start using it.

Email

Probably the granddaddy, and best known, of all privacy programs is Pretty Good Privacy (PGP), developed by Phil Zimmermann (whom the government tried to prosecute to stop its release). Its FOSS equivalent is now the GNU Privacy Guard, which will encrypt not only your email but just about all other forms of data as well. It works with Thunderbird and most email clients. But while it ships with most GNU/Linux distros, like seatbelts and condoms, it provides you no protection unless you use it.

This is where services like Hushmail have stepped in to make email encryption painless and transparent for users. It automatically encrypts email between Hushmail users, but can also work with other clients which provide compatible public keys.

So stop sending those “electronic postcards” over the internet and start using email encryption.

VoIP

If you’re a participant on a call that at any time travels through the air, the NSA (National Security Agency) is out there sucking it up. But even the NSA can’t understand what it can’t decrypt. Cell phone calls provide no security because cell phone companies don’t encrypt those calls. Phil Zimmermann has again done us all a favor and created the Zfone Project.

Even though Skype (which is proprietary) and Gizmo (which is OSS) both provide encryption of VoIP calls over their networks, as soon as you call out of their networks the call is in the clear. Zfone aims to make SIP calls (the only kind it currently supports) secure and private by letting the call participants encrypt the call end to end, no matter what network it travels through. When this is fully realized and incorporated into mainstream VoIP phones (hardware and software) and Asterisk-based servers, VoIP calls will be inherently more secure than regular telecom phone calls.

When WiMAX (basically ubiquitous wireless cable internet access) becomes fully deployed (starting in 2007) this will mean the preferred way to make calls will be via VoIP. Why? Because all calls will then be essentially free AND inherently secure at the same time.

Websurfing

Don’t like leaving a trail of your internet travels? If you want, you can use a paid service like anonymizer.com, which was one of the first of its kind. However, for most people there is a better FOSS alternative, the Tor Onion network. In fact, Tor is a complete suite of tools that will anonymize other TCP-based services (IM, IRC, and SSH) as well.

I personally have Tor set up to run on Linux and XP using the “torbutton” add-on (what used to be called an extension) with Firefox, which allows me to enable or disable browsing via the Tor Onion network (which will slow surfing some). But if you don’t want Dick Cheney looking over your shoulder as you surf, this is well worth it.

This is but a short list of FOSS projects we can use to retain our dwindling privacy. As long as we live in a climate where “probable cause” is more likely to be the name of a punk band than a legal requirement for the government to meet before it can snoop on us, we’ll all have to take personal responsibility for securing our own privacy.

Comments

This could be useful also in countries like China (Big Chinese Firewall) or Brazil (where we could be prohibited from seeing YouTube videos only 'cause a Cicarelli girl decided to have... well... sex on the beach and was filmed and the video was posted on YouTube).

Regarding mobile calls: They may be unencrypted although your phone should then indicate this. OTOH, the algorithms commonly used right now to encrypt the traffic over the air are not terribly secure and there are even web sites claiming to sell real-time decryption hardware (http://www.ewa.com/prodSvcs.html) so I'm pretty sure the NSA can build one of their own. Algorithms used in WCDMA and in upcoming GSM products are more secure (not saying absolutely secure...).

Note that (almost) as soon as traffic is in the network, it is no longer encrypted: GSM calls are only encrypted over the air between phone and base station (GPRS data for GSM is encrypted up to the SGSN), while in WCDMA it's encrypted up to the RNC (all traffic types).

Now though, why would they go around and snoop on calls over the air like that? Probably because snooping calls on the air lets them avoid having to get a court order for interception. All mobile phone switches have a feature for "lawful interception" (basic specs for GSM and WCDMA/UMTS are available at www.3gpp.org), which in civilized countries requires a court order to use.

While it may be fun, and easy, to take pot shots at the current administration let's not forget that Bill Clinton (a Democrat) pushed very hard for the "Clipper Chip" to provide encryption which would have been used in ALL communication devices under penalty of Federal Law. Of course the "Clipper Chip" had a nice big back door that could be opened at will by your friendly government to eavesdrop on any digital, or analog, communication.

Then there was the "Fritz Chip" pushed by Democrat Fritz Hollings which, while not directly able to be used by the government for eavesdropping, was going to allow Hollywood Inc. to effectively control what you could, or could not, do with your own computer hardware.

Basically don't trust any of the Washington crowd, Democrat or Republican.

Better yet, for an article like this it is best to keep your political leanings out of the dialog, and just talk about government in general, since it really does NOT matter which party is in power.

Privacy free software usually implements Cryptography Standards compliant algorithms (like AES ...etc) which have been reviewed and approved by gov security agencies, and I've been told by a system administrator that western govs only allow the use of approved encryption techniques which they can circumvent or break in less than 4 seconds. As far as I know, PGP's author Phil Zimmermann has had troubles with the US export regulation, which led to a criminal investigation.

The AES (Advanced Encryption Standard) algorithm was selected by the US National Institute of Standards and Technology (NIST) after a 5 year open process to find a government replacement algorithm for DES (Data Encryption Standard). There are no known exploits of the algorithm, which means the only known way to mathematically recover a key is through a brute force attack. Thus, the NSA, KGB, Mossad, et al, have not cracked the algorithm. One way to find out about what's going on in the security/encryption world is to subscribe (it's free) to Bruce Schneier's Crypto-Gram monthly newsletter here. And as Schneier emphasizes, security is a process, not algorithms.

As for cell phone calls, they ARE NOT ENCRYPTED to the users. There is no standard encryption protocol which every vendor uses to pass on calls from their network to others, and in fact, calls made among people on the same network are not end-to-end encrypted.

One of the security features of Skype and Gizmo is they claim all calls between people on their networks are encrypted. Once you call out of their networks, just like regular telecom calls, the calls are in the clear, and thus can be intercepted as plaintext.

This is where Phil Zimmermann's Zfone proposes to solve this problem, as it acts as a client-to-client protocol which works inside the client's phone (hard or soft). Thus, whether the network being used encrypts the calls or not, Zfone encrypts the call in the client's phone, checks with the receiving client to see if it also is a Zfone client, authenticates the user if it is, makes an encrypted handshake and transmits the encrypted call. With a change in the underlying protocol (currently only designed to run with SIP networks) it could be made to work with cell phone technology, if the telecoms were interested in doing so. And they WOULD BE if enough users expressed the demand for this as a feature.

Thus, VoIP calling is the only current way to make transparent, encrypted, general calls. Thus, if you are concerned about your conversations being tapped, and you don't have access to a special secure phone network, and you believe that Skype, Gizmo, et al, haven't been compromised yet, then use them to make secure calls.

When WiMAX (or whatever wireless broadband service(s) wins) becomes widely available, and people have essentially ubiquitous broadband wireless internet access, then maybe the cell phone companies will be compelled to provide Zfone-like features for their networks too. Why pay to make an insecure cell phone call when you can make a free, secure VoIP call that has better quality?

Sysadmins are the ultimate authority on encryption and western governments after all.

As the other reply to your post said, we know why the algorithms we use are hard to crack, the NSA didn't make them. While it is possible that western governments have made huge bounds in maths that we don't know about, I'm somewhat skeptical.

Free software implements other algorithms too (like Blowfish). And I'm not sure what you are getting at with Phil Zimmermann. If you are saying that he had trouble because his stuff was not crackable by the government, you should realise he used no new algorithms.

Whether or not PGP encryption can be cracked depends on several variables, IMHO. Firstly, the strength of the key one creates. I use and recommend going with the strongest key generation available. Secondly, one must consider whether or not the private key is maintained in a safe and secure remote location. Thirdly, the length and complexity of the passphrase used. Certainly something like "abc123" or the name of your spouse isn't going to offer much security.

I have read of a couple different people under federal criminal indictment who have refused to surrender passphrases for material on hard drives. Thus far, the data has not been decrypted and the individuals have chosen to remain incarcerated for a mere "contempt of court" for refusing to surrender the passphrase.

In my own opinion, the more my government attempts to take my personal privacy, the more I will employ every measure possible to make their work more difficult. So long as President Bush makes even the "visitor logs" for the White House "secret," (since telling us he had met Jack Abramoff "a couple of times," while the White House visitor log showed he was there on many occasions) I think there are more urgent intelligence needs than looking at my personal email.